Risk and Opportunity Register - Master Sheet

No. | Date raised | Date raised | Opportunity/risk description (opportunities shaded in blue) | Risk Appetite area | Risk appetite | IRSP Goals | Current Probability | Current Impact | Current Overall priority | Direction | Strategic | Target Probability | Target Impact | Target Overall Priority

1  30/07/18  R46
Financial Resilience: (Cause) Risk that sensitivities in the income growth forecast and new territories of expenditure create inaccurate financial forecasting and planning assumptions (Threat) leading to insufficient funding and financial stress (Impact) impeding the ICO’s ability to meet its statutory requirements, and full delivery of all of its intended IRSP goals and outcomes.
Risk Appetite area: Infrastructure and resources
Risk appetite: Open
IRSP Goals / Current Probability / Current Impact / Current Overall priority: 4 5 4
Strategic: Corporate

2  01/04/17  R4
Capacity and Capability: (Cause) Risk that increasing demand, public and stakeholder expectations, and/or additional unplanned work and/or reduced availability of staff results in (Threat) key resources being overstretched and having insufficient capacity to deliver all business plan requirements, (Impact) resulting in business operational issues and pinch points, possible failure to deliver regulatory priority activities and impacting upon the ICO’s ability to deliver all of its intended objectives and outcomes.
Risk Appetite area: Infrastructure and resources
Risk appetite: Open
IRSP Goals / Current Probability / Current Impact / Current Overall priority: 4 5 4
Strategic: Corporate

3  30/04/19  R73
Compliance culture: (Cause) Risk that as demand and capacity increase and/or changes, the ICO’s infrastructure and accountability culture is unable to (Threat) keep up with the pace of change to comply with legal and other obligations expected of a modern regulator (Impact) impacting upon its ability to maintain and increase public trust and be an effective and knowledgeable regulator.
Risk Appetite area: Organisational controls and compliance
Risk appetite: Cautious
IRSP Goals / Current Probability / Current Impact / Current Overall priority: 4 4 4
Strategic: Corporate



4  28/06/17  R3
Risk Appetite area: Regulatory enforcement
Risk appetite: Cautious
Strategic: Corporate

5  22/09/18  R26
Improving Productivity: (Cause) Risk that growth in the ICO’s investment in infrastructure, people and process resources (Threat) is not effectively utilised to reduce contradictory and duplication of efforts, minimise delivery gaps, exploit new business models and maximise best use of ICO resources such that (Impact) whilst the ICO grows it does not improve efficiency and productivity and is no better placed to achieve the ICO’s IRSP goals and corporate outcomes.
Risk Appetite area: Organisational change and development
Risk appetite: Open
Strategic: Corporate

6  06/04/20  R84
Major Incident: (Cause) Risk that an internal or external major incident occurs (e.g. extreme weather, fire incident, chemical incident, pandemic (e.g. Covid-19), or deliberate incidents such as terrorist acts) which renders the ICO unable to utilise part or all of its resources and infrastructure (such as staff, buildings, IT systems etc) such that (Threat) the ICO is unable to deliver some, or in extreme cases all of its regulation services, (Impact) increasing public information rights risk for a period of time and resulting in a reduced achievement of the IRSP Goals over the longer period.
Risk Appetite area: Infrastructure and resources
Risk appetite: Open
IRSP Goals / Current Probability / Current Impact / Current Overall priority: All goals 5 3
Strategic: Corporate

7  06/04/20  R85
Managing ICO Reputation: (C) Risk that decisions are taken without giving due consideration to the strategic reputational impact on the ICO (T) such that action is not taken at the right time to proactively and effectively manage the reputation of the ICO (I) impacting upon the ICO’s ability to increase public trust and confidence, provide excellent public service and to demonstrate that it is an effective and knowledgeable regulator.
Risk Appetite area: Reputational
Risk appetite: Cautious
IRSP Goals / Current Probability / Current Impact / Current Overall priority: All goals 3 4
Direction: New
Strategic: Corporate

8  30/06/17  R2
Risk Appetite area: Organisational change and development
Risk appetite: Open
Direction: Same
Strategic: Corporate

9  27/09/18  R10
Statutory Codes: (Cause) Risk that significantly complex and contentious subject matter (e.g. economic impact), alongside competing stakeholder audience expectations slows the drafting and implementation of Statutory Codes of Conduct such that (Threat) the ICO is unable to deliver the Codes within required timescales and to the desired quality through the eyes of external stakeholders (Impact) impacting negatively on the ICO’s reputation and relevance as a regulator to deliver across all stakeholders, decreasing its public trust, influence and effectiveness.
Risk Appetite area: Regulatory guidance and strategy
Direction: Same
Strategic: Corporate

10  13/04/18  R11
ICO fails to deal with issues arising from Operation Cederberg in a timely and effective way; in particular in relation to the public challenge to ICO regulatory decisions.
Risk Appetite area: Regulatory investigation and intervention
Risk appetite: Cautious
IRSP Goals / Current Probability / Current Impact / Current Overall priority: 5 3 4
Direction: Same
Strategic: Corporate
No.  Date raised  Date raised
11   19/02/19     R71
12   19/09/18     R8
13   27/11/18     R61
14   01/04/17     R29

Opportunity/risk description (opportunities shaded in blue) and Risk Appetite area

Reputational

ICO fails to maintain and develop strategic international relationships which impact on UK global data protection and privacy concerns’ — this covers EU and US relationships as well as other international relationships which are needed to UK public’s interests are protected

Reputational

Litigation Resource: (Cause) Risk that multiple or a single significant legal challenge or trend emerges (Threat) diverting significant financial and non-financial resources into possibly lengthy legal disputes (Impact) impacting upon the ICO’s ability to legally defend itself which could have a domino effect on its decision making, its financial resilience, its reputation as an effective regulator and diluting its operational ability to achieve all of its IRSP goals.
Risk Appetite area: Infrastructure and resources

Technology Relevant Regulator: (Cause) Insufficient resources, knowledge, training and external engagement prevent the ICO from (Threat) engaging with and effectively regulating emerging technology-based threats to information rights (Impact) such that is impeded in fully achieving all of its IRSP goals, in particular goal #6 and results in poor reputational perception of the ICO as a relevant regulator for cyber related privacy issues.
Risk Appetite area: Staff recruitment, retention and development

Risk appetite
Cautious
Cautious
Open
Cautious

IRSP Goals  Current Probability  Current Impact  Current Overall priority

Direction  Strategic
Same       Corporate
Same       Corporate
Up         Corporate
Same       Corporate

Target Probability  Target Impact  Target Overall Priority
No.  Date raised  Date raised
15   08/03/19     R72
16   26/01/18     R1
17   02/09/19     R81
18   06/04/20     R83

Opportunity/risk description (opportunities shaded in blue) and Risk Appetite area

SMOs: (Cause) Risk that the ICO does not sufficiently recognise and act on the needs of small organisations such that the ICO (Threat) does not provide SMOs with value for money relevant services resulting in (impact) low levels of awareness, poor trust and information rights practices from SMOs impacting upon the ICO’s delivery of the IRSP goals around increasing public trust and confidence, improving standards of practice and being an effective regulator.
Risk Appetite area: Regulatory guidance and strategy

The way we exit the European Union, and the accompanying uncertainty, impacts on our ability to deliver functions, including significant impact on ICO services supporting businesses. In particular in relation to the status of transfers, legal cooperation and the ICO's role in EDPB.

Reputational

Staff recruitment, retention and development

Management Board and Executive Team capacity and resilience may not be sufficient to retain clarity of leadership and direction during a critical period of change to the regulatory landscape resulting in delay to the achievement of the IRSP goals and operational, regulatory and organisational priorities

Organisational change and development

Risk appetite
Open
Cautious
Cautious
Open

IRSP Goals  Current Probability  Current Impact  Current Overall priority
1,2    3  4
1,2,3  3  3
4      3  3
1,6    3  3

Direction  Strategic
Same       Corporate
Down       Corporate
Same       Corporate
New        Corporate

Target Probability  Target Impact  Target Overall Priority

51  01/04/18  R21
Cyber Security: (Cause) Risk that although the ICO is continuously vigilant with its cyber security controls that as the ICO’s profile increases and it innovates with new technology systems, (Threat) it becomes increasingly at risk of a security breach, either malicious or inadvertent from within the organisation or from external attacks by cyber-criminals. (Impact) This could result in many negative impacts, such as distress to individuals, legal, financial and serious reputational damage to the ICO, possible penetration and crippling of the ICO’s IT systems preventing it from delivering its regulatory functions and IRSP goals
Risk Appetite area: Security
Risk appetite: Averse
IRSP Goals / Current Probability / Current Impact / Current Overall priority: 6 2 3
Direction: Same
Strategic: Corporate

63  06/04/20  R86
Political and Economic Environment: (Cause) Risk that the ICO doesn't have the plans or the ability to respond to changes in the economic climate, government policy or to government attitudes and reviews, meaning that the ICO doesn't (Threat) adapt and flex quickly enough or in the right way to meet changing stakeholder views and needs (Impact) preventing the achievement of the IRSP goal to be an effective and efficient regulator.
Risk Appetite area: Regulatory guidance and strategy
Risk appetite: Open
IRSP Goals / Current Probability / Current Impact / Current Overall priority: 4,5 and 6 2 2
Direction: New
Strategic: Corporate